From e0bebaa854b7fbb51c092d46e64e8143c8047d33 Mon Sep 17 00:00:00 2001
From: Yuriy Bezsonov
Date: Thu, 2 Jul 2026 09:33:54 +0200
Subject: [PATCH 1/2] fix(cdk): Pin jackson-databind to 2.21.4 to avoid GHSA-5jmj-h7xm-6q6v
jackson-databind 2.22.0 is affected by GHSA-5jmj-h7xm-6q6v (case- insensitive deserialization bypasses per-property @JsonIgnoreProperties) and no patched 2.22.x release exists yet. Downgrade to 2.21.4, the highest release outside the vulnerable range.
---
infra/cdk/pom.xml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/infra/cdk/pom.xml b/infra/cdk/pom.xml
index 3da05d1b..8b9dfdf9 100644
--- a/infra/cdk/pom.xml
+++ b/infra/cdk/pom.xml
@@ -104,7 +104,10 @@ com.fasterxml.jackson.core jackson-databind - 2.22.0 + + 2.21.4
From 857e51d086da9ca5c3568a149be688202a1bff2f Mon Sep 17 00:00:00 2001
From: Yuriy Bezsonov
Date: Thu, 2 Jul 2026 10:21:34 +0200
Subject: [PATCH 2/2] chore(dependabot): Exclude vendored META-INF pom from scans
The authorization server ships a vendored artifact pom under META-INF/ that is dependency metadata, not a buildable module. Exclude it from Maven scans so Dependabot stops opening noise PRs against it.
---
.github/dependabot.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6ad0ceb3..101f7e1b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,10 @@ updates:
 - package-ecosystem: maven
 directories:
 - "**/*"
+ # Exclude the vendored artifact pom shipped inside the authorization
+ # server's META-INF/ (it is dependency metadata, not a buildable
+ # module) so Dependabot stops opening noise PRs against it.
+ - "!/samples/security/oauth/authorization-server/META-INF/**"
 schedule:
 interval: "monthly"
 open-pull-requests-limit: 15
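Review bot: The added `directories` entry `"!/samples/security/oauth/authorization-server/META-INF/**"` relies on a `!`-prefixed negation inside an include list; confirm against the current dependabot.yml reference that Dependabot honours exclusions in that key, because if it does not the value is silently treated as an ordinary non-matching path and the noise PRs continue. If the schema in use provides a dedicated exclusion key (`exclude-paths`, as far as I recall), stating the exclusion there would make the intent explicit instead of mixing include and exclude patterns in one list. Either way this only suppresses version-update PRs for that path; the vendored pom may still be picked up by the repository's dependency graph, so a security alert raised against its declared dependencies would have to be handled by hand since no automated PR will be opened, which is worth one more line in the comment, e.g. `# Security alerts for this pom are still raised and must be handled manually.`. The `maven` updates entry continues beyond the hunk.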